US8245304B1 - Autonomous system-based phishing and pharming detection - Google Patents


Info

Publication number: US8245304B1
Authority: US (United States)
Prior art keywords: client, address, supplied, computer, autonomous system
Legal status: Active - Reinstated, expires
Application number: US11/426,554
Inventors: Chao-Yu Chen, Tse-Min Chen
Current assignee: Trend Micro Inc
Original assignee: Trend Micro Inc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Definitions

  • FIG. 1 shows, in accordance with an embodiment of the present invention, a system-view of the AS-based Phishing/Pharming Detection Arrangement (APDA), including both the APD agent and the APD service;
  • FIG. 2 shows, in accordance with an embodiment of the present invention, the steps taken by the APD agent to ensure safe website access;
  • FIG. 3 shows, in accordance with an embodiment of the present invention, the steps taken by the APD service to determine whether a website is safe to access with respect to both phishing and pharming risks;
  • FIG. 4 shows, in accordance with an embodiment of the present invention, the steps taken by the APD service to determine whether a website is safe to access with respect to phishing risks;
  • FIG. 5 shows, in accordance with an embodiment of the present invention, the steps taken by the APD service to determine whether a website is safe to access with respect to pharming risks.
  • the invention might also cover articles of manufacture that include a computer readable medium on which computer-readable instructions for carrying out embodiments of the inventive technique are stored.
  • the computer readable medium may include, for example, semiconductor, magnetic, opto-magnetic, optical, or other forms of computer readable medium for storing computer readable code.
  • the invention may also cover apparatuses for practicing embodiments of the invention. Such apparatus may include circuits, dedicated and/or programmable, to carry out tasks pertaining to embodiments of the invention. Examples of such apparatus include a general-purpose computer and/or a dedicated computing device when appropriately programmed and may include a combination of a computer/computing device and dedicated/programmable circuits adapted for the various tasks pertaining to embodiments of the invention.
  • the AS-based Phishing Detection Arrangement comprises two main components: a client-side agent and an external service.
  • the client-side agent, referred to herein as the AS-based Phishing Detection agent or APD agent, represents the software and/or hardware residing in the user's computer that intercepts an attempted website access and suspends the attempt until a determination is made that the attempted access is safe.
  • the user computer can be any network accessible device that is capable of accessing internet sites, e.g., a desktop computer, a laptop or palmtop computer, a cellular phone, an electronic personal digital assistance (PDA) or any other network accessible device.
  • the APD agent forwards the target website's URL link and the target website's IP address to the AS-based Phishing Detection service (APD service).
  • the target website's IP address is ascertained by the user's computer (in cooperation with DNS servers) from the target website's URL link. For example, if the target website's URL link is “http://otherxyzbank.com/index.html”, the user computer may employ the host name www.otherxyzbank.com, which it ascertains from the target website's URL link, to query DNS servers (or the local DNS cache) and to obtain the target website's IP address. If the URL link is already in IP format, for example http://1.2.3.4/index.html, DNS resolution is not needed.
  • an autonomous system is a network or set of networks under a single administrative control.
  • An autonomous system may be, for example, the set of all computer networks owned by a company, or a college. Companies and organizations may own more than one autonomous system, but the idea is that each autonomous system is managed independently for routing purposes, such as for use by routing protocols such as BGP (Border Gateway Protocol). Since it is possible for a company or organization (i.e., entity) to own more than one Autonomous system, the set of autonomous systems owned by a single entity is referred to herein as an Autonomous System group (“AS group”).
  • An Autonomous System path (“AS path”) is a list of all the autonomous systems that a specific route passes through to reach a destination.
  • the AS path is displayed as a series of autonomous system (AS) numbers separated by spaces, with the originator's AS number at the end of the path, and the next AS hop from the current router's location in the beginning of the path.
  • the APD service is external to the user computer and may be implemented by servers coupled to the internet, for example.
  • the APD service receives the target website's URL link and the target website's IP address from the user's computer to analyze whether the attempted access is safe.
  • the target website's URL link and the target website's IP address received from the user's computer are referred to herein as the client-supplied URL link and the client-supplied IP address respectively.
  • the APD service then employs the client-supplied IP address to look up an associated Autonomous System (AS) path.
  • the AS path is built with the last AS number being the seed and additional AS numbers appended to this last AS number as the path is built from AS hop to AS hop.
  • the last AS number in this AS path is designated AS 1 and represents the Autonomous System associated with the client-supplied IP address. Autonomous Systems, AS paths and AS numbers will be discussed in detail later herein.
  • the APD service then analyzes the client-supplied URL link to resolve a host name, from which an IP address is obtained via DNS servers. For clarity, this IP address, which the APD service resolves from the host name included in the client-supplied URL link, is called the server-resolved IP address.
  • the APD service then employs the server-resolved IP address to look up an associated Autonomous System (AS) path.
  • the last AS number in this second AS path is designated AS 2. Note that the second AS path is obtained by the APD service independently using the client-supplied URL link (i.e., not from the client-supplied IP address).
  • even if AS 1 and AS 2 belong in the same AS group (i.e., they are AS group peers), it is still possible that a phishing attack exists. Accordingly, a further check is performed.
  • the content of the target webpage associated with the client-supplied IP address is analyzed to ascertain the identity of the legitimate host (e.g., xyzbank). Since fraudsters want to deceive their victims into believing that the victim is viewing the website belonging to the legitimate host (e.g., xyzbank), a fraudster would include information on the webpage that would look familiar to the victim in order to avoid raising suspicion.
  • the sham webpage presented by the fraudster would include, for example, the logo of XYZ bank, the address and phone numbers of XYZ bank, etc.
  • the apparent owner identity gleaned from the webpage content would be the same as the actual owner of the website, i.e., the legitimate host. If a phishing fraud is being attempted, the apparent owner (i.e., the legitimate host) would be different from the actual owner (i.e., the phisher or fraudster).
  • the legitimate host information is then employed to map into a legitimate host domain name (e.g., xyzbank.com).
  • the legitimate host domain name is then employed to ascertain the legitimate host's IP address via DNS servers.
  • the legitimate host's IP address is then employed to obtain the AS path.
  • the last AS number of this AS path is designated AS 3 .
  • if AS 3 and the previously-determined AS 1 do not belong in the same AS group (i.e., they are not “AS group peers”), a phishing attack is deemed to be in progress, and the APD agent is notified so that appropriate remedial steps may be taken. If AS 1, AS 2 and AS 3 all belong in the same AS group, then the target website is deemed to be safe for use.
  • FIG. 1 shows, in accordance with an embodiment of the present invention, a system-view of the AS-based Phishing/Pharming Detection Arrangement (APDA), including both APD agent 108 and APD service 122.
  • APD agent 108 represents the software agent installed in the client computer 102 (which may include a laptop computer, a desktop computer, a hand-held computing device, or even a web-enabled cell phone) for intercepting attempted website accesses and suspending acting on such attempts until a determination that such attempt is safe has been made.
  • APD agent 108 may represent a plug-in that works cooperatively with the web browser in client computer 102 to intercept website accesses.
  • APD agent may also represent any software and/or hardware implementation that is capable of intercepting a website access attempt and suspending such attempted access until a safe signal is received from APD service before proceeding.
  • upon detecting an attempted website access (e.g., when the user clicks on a link that links to “http://www.otherxyzbank.com” or when the user types the URL “http://www.otherxyzbank.com” into the URL address bar of a web browser), APD agent 108 causes client computer 102 to suspend the attempted access (e.g., by temporarily suspending the attempt by the browser). Next, APD agent 108 or client computer 102 resolves the IP address of the target website (i.e., otherxyzbank.com) by accessing the local DNS cache or DNS servers (which may be provided by the internet service provider or ISP, for example).
  • the IP address is resolved by ascertaining the host name from the URL link, and looking up the IP address using the host name and the local DNS cache or DNS servers.
  • this resolved IP address represents the target website's IP address and is referred to herein as the client-supplied IP address (since the client computer obtains this IP address and subsequently furnishes it to the APD service for detection purposes).
  • the target website's URL link is referred to herein as the client-supplied URL link.
  • APD front-end server 110 first employs the client-supplied IP address to resolve down to an AS path.
  • BGP is a well-known protocol and is widely documented in publicly available documents, including Requests for Comments (RFCs), which are documents maintained by the Internet Society (ISOC).
  • RFC 1771 and the subsequent RFC 4271 discuss BGP in detail and may be viewed at, for example, the official website (www.ietf.org) of the Internet Engineering Task Force (IETF).
  • APD front-end server 110 consults BGP table 116 (which represents a database storing a BGP router table dump) to determine the AS path from the client-supplied IP address.
  • the last number of the AS path is ascertained and designated AS 1 .
  • in an embodiment, the BGP table may be implemented in a database. While a BGP table can provide the IP-to-AS-number mapping, such a mapping may be implemented by any technology, such as a database, a program that obtains the AS number of a given IP address in real time, etc.
  • APD front-end server 110 independently resolves the IP address from the client-supplied URL link. This server-resolved IP address is then employed to ascertain a second AS path, using, for example, BGP table 116. The last number of the second AS path is ascertained and designated AS 2. Note that since AS 1 is acquired using the client-supplied IP address and AS 2 is acquired using the server-resolved IP address, AS 2 is likely to be different from AS 1 if the user's local DNS cache or DNS server is compromised, as in the case of a pharming attack.
  • if AS 1 and AS 2 do not belong in the same AS group, a pharming attack is deemed to be in progress, and the APD agent is notified so that appropriate remedial steps may be taken.
  • APD front-end server 110 performs a further check by first analyzing the content of the webpage associated with the client-supplied IP address. As discussed, since fraudsters almost always include information on the sham webpage to impersonate the legitimate host, the included information may be employed to ascertain the legitimate host. The legitimate host information is then employed to map into a legitimate host domain name (e.g., xyzbank.com), from which the legitimate host's IP address may be obtained via DNS servers. The legitimate host's IP address is then employed to obtain the AS path. The last AS number of this third AS path is designated AS 3.
  • if AS 1 and AS 3 do not belong in the same AS group, a phishing attack is deemed to be in progress, and the APD agent is notified so that appropriate remedial steps may be taken.
  • FIG. 2 shows, in accordance with an embodiment of the present invention, the steps taken by the APD agent to ensure safe website access.
  • the APD agent intercepts the attempted website access and suspends the attempted access.
  • the APD agent resolves the IP address from the host name, which is obtained from the URL link.
  • the APD agent sends the target website's IP address and the target website's URL link to the APD service for analysis.
  • the APD analysis result is received. If the analysis result indicates that the attempted access is not safe (216) due to either phishing or pharming, remedial actions may be taken.
  • for example, the user is warned of the phishing or pharming attack, and the fraudulent website is blocked from further access (step 218).
  • otherwise, the APD agent permits access (220) and the user can begin to browse the target website.
  • FIG. 3 shows in accordance with an embodiment of the present invention, the steps taken by the APD service to determine whether a website is safe to access.
  • the client-supplied IP address and the client-supplied URL string are received from the APD agent.
  • the AS path is looked up in the BGP database using the client-supplied IP address. The last AS number in the AS path is taken as AS 1 .
  • the server-resolved IP address is employed to look up the AS path from the BGP database.
  • the server-resolved IP address represents the IP address resolved by the APD service from the host name obtained from the client-supplied URL string.
  • the last AS number from this second AS path is designated AS 2 .
  • in step 312, it is ascertained whether AS 1 and AS 2 belong in the same AS group. If they do not belong in the same AS group (the “NO” branch out of 312), a pharming attack is deemed to be underway, and the APD agent is appropriately warned (324).
  • in step 314, the content of the webpage associated with the client-supplied IP address is analyzed to obtain the identity of the legitimate host.
  • the content of the sham webpage almost always includes information about the legitimate host in an effort to deceive the victim into believing that the victim is actually viewing a webpage on the legitimate host's website.
  • if the webpage in fact belongs to the legitimate host, the information pertaining to the legitimate host would likewise be present.
  • the domain name of the legitimate host may be acquired (using any number of available look-up engines, for example).
  • the domain name is then employed to look up the IP address (using DNS servers for example) and the AS path (using for example BGP tables).
  • the last number of this third AS path is designated AS 3 .
  • in step 318, it is ascertained whether AS 1 and AS 3 belong in the same AS group. If they do not belong in the same AS group (the “NO” branch out of 312), a phishing attack is deemed to be underway, and the APD agent is appropriately warned (322).
  • FIG. 4 shows, in accordance with an embodiment of the present invention, a flowchart illustrating phishing-only detection. Likewise, if only pharming detection is desired, steps 314, 316, 318, 320, and 322 can be eliminated.
  • FIG. 5 shows, in accordance with an embodiment of the present invention, a flowchart illustrating the pharming-only detection.
  • embodiments of the invention employ AS path information to detect phishing and/or pharming attacks. Since AS paths are updated in real time in internet routers, embodiments of the invention can accurately ascertain the existence of a possible attack with a low rate of false alarms even if IP addresses associated with hosts' websites change. In so doing, embodiments of the invention avoid the disadvantages associated with passive, delay-prone approaches such as IP white list or URL signature matching.
  • embodiments of the invention enable the APD service to employ the client-supplied IP address, the client-supplied URL link, the server-resolved IP address, and the IP address obtained via content analysis of the webpage pointed to by the client-supplied IP address, to perform independent verifications that efficiently detect phishing and/or pharming attacks.

Abstract

Methods for detecting an attempt to perpetrate fraud on a user utilizing a client-supplied link and a client-supplied IP address from a user computer. The method ascertains a first autonomous system number (“first AS number”) from the client-supplied IP address and a second autonomous system number (“second AS number”) from the client-supplied link. If the first AS number and the second AS number are not AS group peers, a pharming attempt is detected. Alternatively or additionally, the method includes analyzing a content of a webpage that is accessed using the client-supplied IP address to ascertain an identity of an apparent owner of the webpage and ascertaining a third autonomous system number (“third AS number”) from the identity of the apparent owner of the webpage. If the first AS number and the third AS number are not AS group peers, a phishing attempt is detected.

Description

BACKGROUND OF THE INVENTION
Phishing and pharming represent fraudulent techniques to obtain confidential information (such as user name, password, credit card information, etc.) from computer users for misuse. In phishing, the phisher sends an apparently official electronic communication (such as an official looking email) to the victim. For example, if a phisher wishes to obtain confidential information to access a victim's account at XYZ bank, the email would typically come from an XYZ bank email address and contain official-looking logos and language to deceive the victim into believing that the email is legitimate.
Further, the phisher's email typically includes language urging the victim to access the website of XYZ bank in order to verify some information or to confirm some transaction. The email also typically includes a link for use by the victim to supposedly access the website of XYZ bank. However, when the victim clicks on the link included in the email, the victim is taken instead to a sham website set up in advance by the phisher. The sham website would then ask for confidential information from the victim. Since the victim had been told in advance that the purpose of clicking on the link is to verify some account information or to confirm some transaction, many victims unquestioningly enter the requested information. Once the confidential information is collected by the phisher, the phisher can subsequently employ the information to perpetrate fraud on the victim by stealing money from the victim's account, by purchasing goods using the account funds, etc.
Because phishers actually divert the victim to another website other than the website of the legitimate business that the victim intended to visit, some knowledgeable users may be able to spot the difference in the website domain names and may become alert to the possibility that a phishing attack is being attempted. For example, if a victim is taken to a website whose domain name “http://218.246.224.203/icons/cgi-bin/xyzbank/login.php” appears in the browser's URL address bar, that victim may be alert to the fact that the phisher's website URL address is different from the usual “http://www.xyzbank.com/us/cgi-bin/login.php” and may refuse to furnish the confidential information out of suspicion.
Pharming may be thought of as a specialized type of phishing attack in which there are, from the victim's perspective, no detectable changes to the domain name. In a pharming attack, the local DNS cache or DNS server is compromised, allowing a pharmer to associate a legitimate domain name (e.g., xyzbank.com) with the IP address associated with a sham website operated by the pharmer. Since the DNS caches or DNS servers are mechanisms that are responsible for resolving domain names into IP addresses, the compromised DNS cache or DNS server would associate the host name xyzbank.com with the IP address 218.246.224.203 (i.e., the IP address of the fraudster's website in the previous example). Accordingly, when the victim types in the URL address www.xyzbank.com, the compromised DNS cache or DNS server would translate this URL address to the IP address 218.246.224.203 that is associated with the pharmer's sham website. Thus, even though the victim is taken to the pharmer's website, the domain address shown on the web browser's URL address bar still shows “http://www.xyzbank.com . . . ”. Therefore, it is impossible even for the most astute computer user to detect that a pharming attack is taking place.
One approach to detecting phishing and pharming relies on detecting the fraudster's URL signature (e.g., domain name and/or other characteristics), which may be acquired over time from spam emails and user reports. However, this approach is passive since it relies on the cooperation of users and can only detect known phishers. For newly created phishing websites, detection is not possible until the fraudster's URL signature is collected, such as after a user reports a phishing attack.
Another approach is to maintain an IP address list of well-known websites (i.e., an IP address white list), and to compare the IP address of an unknown website against the IP address white list. If the IP address of the unknown website is not in the IP address white list, the unknown website is flagged as a potential phisher. However, the maintenance of such an IP address white list is time-consuming. Further, individuals and organizations often change their IP addresses for legitimate reasons. Since it is impossible to update the IP address white list in real time to keep up with IP address changes (assuming that the changes are reported at all), this approach is error-prone and suffers from a high percentage of false alarms.
SUMMARY OF INVENTION
The invention relates, in an embodiment, to a computer-implemented method for detecting an attempt to perpetrate fraud on a user. The method includes receiving a client-supplied link and a client-supplied IP address from a user computer. The client-supplied link represents a link to a target website which the user is attempting to access. The client-supplied IP address represents an IP address ascertained by the user computer to be an IP address associated with the target website. The method also includes ascertaining a first autonomous system number (“first AS number”) from the client-supplied IP address. The method further includes ascertaining a second autonomous system number (“second AS number”) from the client-supplied link. If the first AS number and the second AS number do not represent AS group peers, the method includes providing a warning to the user computer to alert the user of a first potential fraud being attempted.
In another embodiment, the invention relates to a computer-implemented method for detecting an attempt to perpetrate fraud on a user. The method includes receiving a client-supplied IP address from a user computer. The client-supplied IP address represents an IP address ascertained by the user computer to be an IP address associated with a target website which the user is attempting to access. The method includes ascertaining a first autonomous system number (“first AS number”) from the client-supplied IP address. The method additionally includes analyzing the content of a webpage that is accessed using the client-supplied IP address to ascertain the identity of an apparent owner of the webpage. The method also includes ascertaining a second autonomous system number (“second AS number”) from the identity of the apparent owner of the webpage. If the first AS number and the second AS number do not represent AS group peers, the method includes providing a warning to the user computer to alert the user of a potential fraud being attempted.
These and other features of the present invention will be described in more detail below in the detailed description of the invention and in conjunction with the following figures.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:
FIG. 1 shows, in accordance with an embodiment of the present invention, a system-view of the AS-based Phishing/Pharming Detection Arrangement (APDA), including both the APD agent and the APD service;
FIG. 2 shows, in accordance with an embodiment of the present invention, the steps taken by the APD agent to ensure safe website access;
FIG. 3 shows, in accordance with an embodiment of the present invention, the steps taken by the APD service to determine whether a website is safe to access with respect to both phishing and pharming risks;
FIG. 4 shows, in accordance with an embodiment of the present invention, the steps taken by the APD service to determine whether a website is safe to access with respect to phishing risks; and
FIG. 5 shows, in accordance with an embodiment of the present invention, the steps taken by the APD service to determine whether a website is safe to access with respect to pharming risks.
DETAILED DESCRIPTION OF EMBODIMENTS
The present invention will now be described in detail with reference to a few embodiments thereof as illustrated in the accompanying drawings. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art, that the present invention may be practiced without some or all of these specific details. In other instances, well known process steps and/or structures have not been described in detail in order to not unnecessarily obscure the present invention.
Various embodiments are described herein below, including methods and techniques. It should be kept in mind that the invention might also cover articles of manufacture that include a computer readable medium on which computer-readable instructions for carrying out embodiments of the inventive technique are stored. The computer readable medium may include, for example, semiconductor, magnetic, opto-magnetic, optical, or other forms of computer readable medium for storing computer readable code. Further, the invention may also cover apparatuses for practicing embodiments of the invention. Such apparatus may include circuits, dedicated and/or programmable, to carry out tasks pertaining to embodiments of the invention. Examples of such apparatus include a general-purpose computer and/or a dedicated computing device when appropriately programmed, and may include a combination of a computer/computing device and dedicated/programmable circuits adapted for the various tasks pertaining to embodiments of the invention.
In an embodiment, there are provided methods and systems for detecting a phishing/pharming attack by resolving the target website's IP address, the target website's URL link, and the target website's content into various Autonomous System (AS) paths. These AS paths are then resolved into a plurality of AS numbers. The AS numbers are then compared against one another to detect the presence of possible phishing or pharming attacks.
In an embodiment, the AS-based Phishing Detection Arrangement (APDA) comprises two main components: a client-side agent and an external service. The client-side agent, referred to herein as the AS-based Phishing Detection agent or APD agent, represents the software and/or hardware residing in the user's computer that intercepts attempted website access and suspends such attempt until a determination is made that the attempted access is safe. As the term is employed herein, the user computer can be any network accessible device that is capable of accessing internet sites, e.g., a desktop computer, a laptop or palmtop computer, a cellular phone, a personal digital assistant (PDA) or any other network accessible device. While the attempted access is suspended, the APD agent forwards the target website's URL link and the target website's IP address to the AS-based Phishing Detection service (APD service).
The target website's IP address is ascertained by the user's computer (in cooperation with DNS servers) from the target website's URL link. For example, if the target website's URL link is “http://otherxyzbank.com/index.html”, the user computer may employ the host name www.otherxyzbank.com, which it ascertains from the target website's URL link, to query DNS servers (or the local DNS cache) and obtain the target website's IP address. If the URL link is already in IP format, for example, http://1.2.3.4/index.html, DNS resolution is not needed.
For clarification, the target website represents the website that the user is attempting to access. This target website may represent a legitimate website or a sham website that a fraudster has tricked the user into visiting. As the term is employed herein, an autonomous system (“AS”) is a network or a set of networks under a single administrative control. An autonomous system may be, for example, the set of all computer networks owned by a company or a college. Companies and organizations may own more than one autonomous system, but the idea is that each autonomous system is managed independently for routing purposes, such as for use by routing protocols such as BGP (Border Gateway Protocol). Since it is possible for a company or organization (i.e., entity) to own more than one autonomous system, the set of autonomous systems owned by a single entity is referred to herein as an Autonomous System group (“AS group”).
An Autonomous System path (“AS path”) is a list of all the autonomous systems that a specific route passes through to reach a destination. The AS path is displayed as a series of autonomous system (AS) numbers separated by spaces, with the originator's AS number at the end of the path, and the next AS hop from the current router's location in the beginning of the path.
The APD service is external to the user computer and may be implemented by servers coupled to the internet, for example. As discussed, the APD service receives the target website's URL link and the target website's IP address from the user's computer to analyze whether the attempted access is safe. For clarity, the target website's URL link and the target website's IP address received from the user's computer are referred to herein as the client-supplied URL link and the client-supplied IP address respectively. The APD service then employs the client-supplied IP address to look up an associated Autonomous System (AS) path. As is known, an AS path is built with the last AS number being the seed and additional AS numbers prepended to this last AS number as the path is built from AS hop to AS hop. The last AS number in this AS path is designated AS1 and represents the Autonomous System associated with the client-supplied IP address. Autonomous Systems, AS paths and AS numbers will be discussed in detail later herein.
The APD service then analyzes the client-supplied URL link to resolve a host name, from which an IP address is obtained via DNS servers. For clarity, this IP address, which the APD server resolves from the host name that is included in the client-supplied URL link, is called the server-resolved IP address. The APD service then employs the server-resolved IP address to look up an associated Autonomous System (AS) path. The last AS number in this second AS path is designated AS2. Note that the second AS path is obtained by the APD service independently using the client-supplied URL link (i.e., not from the client-supplied IP address). Accordingly, even if the user's local DNS cache or the DNS server service associated with the user is compromised, as in the case of a pharming attack, this independent verification would likely result in different AS paths as well as different values for AS1 and AS2 (since AS1 is acquired using the client-supplied IP address and AS2 is acquired using the server-resolved IP address). If AS1 and AS2 do not belong in the same AS group, a pharming attack is deemed to be in progress, and the APD agent is notified so that appropriate remedial steps may be taken.
If these two AS path numbers (AS1 and AS2) belong in the same AS group (i.e., they are AS group peers), it is still possible that a phishing attack exists. Accordingly, a further check is performed. First, the content of the target webpage associated with the client-supplied IP address is analyzed to ascertain the identity of the legitimate host (e.g., xyzbank). Since fraudsters want to deceive their victims into believing that the victim is viewing the website belonging to the legitimate host (e.g., xyzbank), a fraudster would include information on the webpage that would look familiar to the victim in order to avoid raising suspicion. In the example of XYZ bank, the sham webpage presented by the fraudster would include, for example, the logo of XYZ bank, the address and phone numbers of XYZ bank, etc. By analyzing the content of this webpage, it is possible to ascertain the identity of the apparent owner of the website (which may or may not be the same as the actual owner of the website). In the absence of fraud, the apparent owner identity gleaned from the webpage content would be the same as the actual owner of the website, i.e., the legitimate host. If a phishing fraud is being attempted, the apparent owner (i.e., the legitimate host) would be different from the actual owner (i.e., the phisher or fraudster). The legitimate host information is then employed to map into a legitimate host domain name (e.g., xyzbank.com). The legitimate host domain name (e.g., xyzbank.com) is then employed to ascertain the legitimate host's IP address via DNS servers. The legitimate host's IP address is then employed to obtain the AS path. The last AS number of this AS path is designated AS3.
If AS3 and the previously-determined AS1 do not belong in the same AS group (referred to herein as “AS group peers”), a phishing attack is deemed to be in progress, and the APD agent is notified so that appropriate remedial steps may be taken. If AS1, AS2 and AS3 all belong in the same group, then the target website is deemed to be safe for use.
The features and advantages of the invention may be better understood with reference to the figures and discussions that follow. FIG. 1 shows, in accordance with an embodiment of the present invention, a system-view of the AS-based Phishing/Pharming Detection Arrangement (APDA), including both APD agent 108 and APD service 122. APD agent 108 represents the software agent installed in the client computer 102 (which may include a laptop computer, a desktop computer, a hand-held computing device, or even a web-enabled cell phone) for intercepting attempted website accesses and suspending action on such attempts until a determination that such attempt is safe has been made.
For example, APD agent 108 may represent a plug-in that works cooperatively with the web browser in client computer 102 to intercept website accesses. However, APD agent may also represent any software and/or hardware implementation that is capable of intercepting a website access attempt and suspending such attempted access until a safe signal is received from APD service before proceeding.
Upon detecting an attempted website access (e.g., when the user clicks on a link that links to “http://www.otherxyzbank.com” or when the user types the URL “http://www.otherxyzbank.com” into the URL address bar of a web browser), APD agent 108 causes client computer 102 to suspend the attempted access (e.g., by temporarily suspending the attempt by the browser). Next, APD agent 108 or client computer 102 resolves the IP address of the target website (i.e., otherxyzbank.com) by accessing the local DNS cache or DNS servers (which may be provided by the internet service provider or ISP, for example). As mentioned, the IP address is resolved by ascertaining the host name from the URL link, and looking up the IP address using the host name and the local DNS cache or DNS servers. This resolved IP address represents the target website's IP address and is referred to herein as the client-supplied IP address (since the client computer obtains this IP address and will subsequently furnish this IP address to the APD service for detection purposes). The target website's URL link is referred to herein as the client-supplied URL link.
The client-supplied IP address and the client-supplied URL link are then provided to APD front-end server 110 of APD service 122. APD front-end server 110 first employs the client-supplied IP address to resolve down to an AS path. In an embodiment, BGP (Border Gateway Protocol) is employed to ascertain an AS path from a client-supplied IP address. BGP is a well-known protocol and is widely published in publicly available documents including Requests for Comments (RFCs), which are documents maintained by the Internet Society or ISOC. RFC 1771 and the subsequent RFC 4271 discuss BGP in detail and may be viewed at, for example, the official website (www.ietf.org) of the Internet Engineering Task Force, also known as the IETF.
Thus, APD front-end server 110 consults BGP table 116 (which represents a database storing a BGP table router dump) to determine the AS path from the client-supplied IP address. The last number of the AS path is ascertained and designated AS1. Note that it is not absolutely necessary that the BGP table be implemented in a database. While the use of a BGP table can provide IP-to-AS-number mapping, such mappings may be implemented by any technology, such as a database, a program that obtains the AS number of a given IP in real time, etc.
Further, APD front-end server 110 independently resolves the IP address from the client-supplied URL link. This server-resolved IP address is then employed to ascertain a second AS path, using, for example, BGP table 116. The last number of the second AS path is ascertained and designated AS2. Note that since AS1 is acquired using the client-supplied IP address and AS2 is acquired using the server-resolved IP address, AS2 is likely to be different from AS1 if the user's local DNS cache or the DNS server service associated with the user is compromised, as in the case of a pharming attack.
If AS1 and AS2 do not belong in the same AS group, a pharming attack is deemed to be in progress, and the APD agent is notified so that appropriate remedial steps may be taken.
On the other hand, if AS1 and AS2 belong to the same AS group, the possibility of a phishing attack still exists. In this case, APD front-end server 110 performs a further check by first analyzing the content of the webpage associated with the client-supplied IP address. As discussed, since fraudsters almost always include information on the sham webpage to impersonate the legitimate host, the included information may be employed to ascertain the legitimate host. The legitimate host information is then employed to map into a legitimate host domain name (e.g., xyzbank.com), from which the legitimate host's IP address may be obtained via DNS servers. The legitimate host's IP address is then employed to obtain the AS path. The last AS number of this third AS path is designated AS3.
If AS1 and AS3 do not belong in the same AS group, a phishing attack is deemed to be in progress, and the APD agent is notified so that appropriate remedial steps may be taken.
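The three-way comparison described in the summary above and in the FIG. 1 walkthrough, written out as an added example (this is not the patent's or Trend Micro's code). `BGP_TABLE`, `AS_GROUPS`, `SERVER_DNS`, `PAGE_OWNER_BY_IP` and `OWNER_DOMAIN` are constructed stand-ins for BGP table 116, the AS-group map, the service's trusted resolvers and the content analysis step; the addresses are RFC 5737 documentation ranges and the AS numbers are private-use values, chosen only to make the cases visible. `apd_check` returns "pharming" when AS1 and AS2 are not AS group peers, "phishing" when AS1 and AS3 are not, and "safe" otherwise:

```python
"""AS-based phishing/pharming check modelled on the APD service in the text.

Added example, not code from the patent or from Trend Micro. Every table is a
constructed stand-in: the BGP table, the trusted DNS answers, the AS-group map
and the content-analysis results are hypothetical.
"""
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed stand-in for BGP table 116: prefix -> AS path as printed in a
# router dump (next AS hop first, originator last, separated by spaces).
BGP_TABLE = {
    "203.0.113.0/24": "64500 64510 64520",   # xyzbank's main hosting AS
    "198.51.100.0/24": "64500 64530 64521",  # xyzbank's second AS (same group)
    "192.0.2.0/24": "64500 64540 64999",     # hosting AS used by the sham site
}

# Constructed AS-group map: entity -> the AS numbers it administers.
AS_GROUPS = {
    "xyzbank": {64520, 64521},
    "otherhost": {64999},
}

# Constructed DNS answers as seen by the APD service's own (trusted) resolvers.
SERVER_DNS = {
    "www.xyzbank.com": "203.0.113.10",
    "www.otherxyzbank.com": "192.0.2.50",
}

# Constructed content-analysis result: webpage served at an IP -> apparent
# owner (what the logo, address and phone numbers on the page claim).
PAGE_OWNER_BY_IP = {
    "203.0.113.10": "xyzbank",
    "198.51.100.5": "xyzbank",
    "192.0.2.50": "xyzbank",  # sham page impersonating xyzbank
}
OWNER_DOMAIN = {"xyzbank": "www.xyzbank.com"}  # owner identity -> domain name


def as_path_for_ip(ip: str) -> Optional[List[int]]:
    """Longest-prefix match of ip against BGP_TABLE; AS path as integers."""
    addr = ipaddress.ip_address(ip)
    best_net, best_path = None, None
    for prefix, path in BGP_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_path = net, path
    return None if best_path is None else [int(asn) for asn in best_path.split()]


def origin_as(ip: Optional[str]) -> Optional[int]:
    """The last AS number in the path is the originator (AS1, AS2, AS3)."""
    if ip is None:
        return None
    path = as_path_for_ip(ip)
    return path[-1] if path else None


def as_group_peers(asn_a: int, asn_b: int) -> bool:
    """Same AS, or two ASes administered by the same entity."""
    return asn_a == asn_b or any(asn_a in g and asn_b in g for g in AS_GROUPS.values())


def server_resolve(url: str) -> Optional[str]:
    """Host name from the client-supplied URL -> server-resolved IP.
    A URL whose host is already an IP literal needs no DNS lookup."""
    host = urlsplit(url).hostname or ""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return SERVER_DNS.get(host)


def apd_check(client_url: str, client_ip: str) -> str:
    """Returns 'pharming', 'phishing', 'safe' or 'unknown' (data missing)."""
    as1 = origin_as(client_ip)                   # from the client-supplied IP
    as2 = origin_as(server_resolve(client_url))  # from the server-resolved IP
    if as1 is None or as2 is None:
        return "unknown"
    if not as_group_peers(as1, as2):
        return "pharming"   # client's resolver disagrees with the trusted one
    owner = PAGE_OWNER_BY_IP.get(client_ip)      # stand-in for content analysis
    as3 = origin_as(SERVER_DNS.get(OWNER_DOMAIN.get(owner, ""))) if owner else None
    if as3 is None:
        return "unknown"
    if not as_group_peers(as1, as3):
        return "phishing"   # page claims xyzbank but is hosted elsewhere
    return "safe"


if __name__ == "__main__":
    for url, ip in [("http://www.xyzbank.com/login", "203.0.113.10"),
                    ("http://www.xyzbank.com/login", "192.0.2.50"),
                    ("http://www.otherxyzbank.com/login", "192.0.2.50"),
                    ("http://192.0.2.50/cgi-bin/login.php", "192.0.2.50"),
                    ("http://www.xyzbank.com/login", "198.51.100.5")]:
        print(f"{url:40} {ip:14} -> {apd_check(url, ip)}")
```

The 198.51.100.5 case is the one the IP white list approach gets wrong: the bank has moved to a second AS it administers, and the AS-group check still reports "safe" because AS1 (64521) and AS3 (64520) are peers. The flip side is worth keeping in mind when deploying this: if the impersonated brand and the sham page are hosted in the same AS (a large shared-hosting provider, for instance), AS1 and AS3 are peers and the check cannot separate them, so a "safe" result is one signal to combine with others rather than a proof.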
FIG. 2 shows, in accordance with an embodiment of the present invention, the steps taken by the APD agent to ensure safe website access. In step 204, the APD agent intercepts the attempted website access and suspends the attempted access. In step 206, the APD agent resolves the IP address from the host name, which is obtained from the URL link. In step 208, the APD agent sends the target website's IP address and the target website's URL link to the APD service for analysis. In step 212, the APD analysis result is received. If the analysis result indicates that the attempted access is not safe (216) due to either phishing or pharming, remedial actions may be taken. Thus, for example, the user is warned of the phishing or pharming attack, and the fraudulent website is blocked from further access (step 218). On the other hand, if the analysis result indicates that the target website is safe to access, the APD agent permits access (220) and the user can begin to browse the target website.
FIG. 3 shows, in accordance with an embodiment of the present invention, the steps taken by the APD service to determine whether a website is safe to access. In step 306, the client-supplied IP address and the client-supplied URL string are received from the APD agent. In step 308, the AS path is looked up in the BGP database using the client-supplied IP address. The last AS number in the AS path is taken as AS1.
In step 310, the server-resolved IP address is employed to look up the AS path from the BGP database. The server-resolved IP address represents the IP address resolved by the APD service from the host name obtained from the client-supplied URL string. The last AS number from this second AS path is designated AS2.
In step 312, it is ascertained whether AS1 and AS2 belong in the same AS group. If they do not belong in the same AS group (the “NO” branch out of 312), a pharming attack is deemed to be underway, and the APD agent is appropriately warned (324).
On the other hand, if AS1 and AS2 belong in the same AS group (the “YES” branch out of 312), the possibility of a phishing attack still exists. Accordingly, further checks are performed. In step 314, the content of the webpage associated with the client-supplied IP address is analyzed to obtain the identity of the legitimate host. As discussed, the content of the sham webpage almost always includes information about the legitimate host in an effort to deceive the victim into believing that the victim is actually viewing a webpage on the legitimate host's website. Of course, if the webpage in fact belongs to the legitimate host, the information pertaining to the legitimate host would be present. Once the identity of the legitimate host is ascertained, the domain name of the legitimate host may be acquired (using any number of available look-up engines, for example). The domain name is then employed to look up the IP address (using DNS servers, for example) and the AS path (using BGP tables, for example). The last number of this third AS path is designated AS3.
In step 318, it is ascertained whether AS1 and AS3 belong in the same AS group. If they do not belong in the same AS group (the “NO” branch out of 318), a phishing attack is deemed to be underway, and the APD agent is appropriately warned (322).
On the other hand, if AS1 and AS3 belong in the same AS group (the “YES” branch out of 318), the attempted website access is deemed to be safe, and the APD agent is appropriately notified (320) so that the user's attempted access may now be permitted to proceed.
It is possible to eliminate steps 310, 312, and 324 from FIG. 3 if only phishing detection is desired or if pharming detection by verifying AS1 against AS2 is not deemed necessary. FIG. 4 shows, in accordance with an embodiment of the present invention, a flowchart illustrating the phishing-only detection. Likewise, if only pharming detection is desired, steps 314, 316, 318, 320, and 322 can be eliminated. FIG. 5 shows, in accordance with an embodiment of the present invention, a flowchart illustrating the pharming-only detection.
As can be appreciated from the foregoing, embodiments of the invention employ AS path information to detect phishing and/or pharming attacks. Since AS paths are updated in real time in internet routers, embodiments of the invention can accurately ascertain the existence of a possible attack with a low rate of false alarms even if the IP addresses associated with hosts' websites change. In so doing, embodiments of the invention avoid the disadvantages associated with passive, delay-prone approaches such as IP white list or URL signature matching. By requiring the user computer to ascertain the IP address independently from the target website's URL link, and to supply both the client-supplied IP address and the client-supplied URL link to the APD service for detection purposes, embodiments of the invention enable the APD service to employ the client-supplied IP address, the client-supplied URL link, the server-resolved IP address, and the IP address obtained via content analysis of the webpage pointed to by the client-supplied IP address, to perform independent verifications that efficiently detect phishing and/or pharming attacks.
While this invention has been described in terms of several preferred embodiments, there are alterations, permutations, and equivalents, which fall within the scope of this invention. Although various examples are provided herein, it is intended that these examples be illustrative and not limiting with respect to the invention. For example, although BGP is discussed as the mechanism to ascertain an AS path/AS number from an IP address, the invention is not limited to using BGP and any other approaches for ascertaining an AS path/AS number from an IP address may be employed. It should also be noted that there are many alternative ways of implementing the methods and apparatuses of the present invention. Further, the abstract is provided herein for convenience and should not be employed to construe or limit the overall invention, which is expressed in the claims. It is therefore intended that the following appended claims be interpreted as including all such alterations, permutations, and equivalents as fall within the true spirit and scope of the present invention.

Claims (20)

1. A computer-implemented method for detecting an attempt to perpetrate fraud on a user, the computer-implemented method comprising:
receiving, using a server device, a client-supplied link and a client-supplied IP address from a user computer, said client-supplied link representing a link to a target website which said user computer is attempting to access, said client-supplied IP address representing an IP address ascertained by said user computer to be an IP address associated with said target website;
acquiring a first autonomous system number (“first AS number”) using said server device and using said client-supplied IP address;
acquiring a second autonomous system number (“second AS number”) using said server device and using said client-supplied link;
after said acquiring said first AS number and after said acquiring said second AS number, determining whether said first AS number and said second AS number are autonomous system group peers (“AS group peers”) such that said first AS number and said second AS number belong in a same autonomous system group (“AS group”);
analyzing, using said server device, said client-supplied link to resolve a host name;
obtaining a server-resolved IP address using said server device and said host name;
obtaining a second autonomous system path (“second AS path”) using said server device and using said server-resolved IP address; and
designating the last AS number in said second AS path said second AS number; and
after said determining, if said first AS number and said second AS number do not belong in the same AS group, providing a warning to said user computer to indicate a first potential fraud being attempted.
2. The computer-implemented method of claim 1 wherein said first potential fraud represents pharming.
3. The computer-implemented method of claim 1 wherein said client-supplied IP address is ascertained by said user computer from said client-supplied link using one of a local DNS cache and a set of DNS servers that are external to said user computer.
4. The computer-implemented method of claim 1 further comprising:
obtaining a first autonomous system path (“first AS path”) using said server device and using said client-supplied IP address, and
designating the last AS number in said first AS path said first AS number.
5. The computer-implemented method of claim 4 wherein said first AS path is obtained using data gathered from routers implementing the Border Gateway Protocol (BGP).
6. The computer-implemented method of claim 1 wherein said second AS path is obtained using data gathered from routers implementing the Border Gateway Protocol (BGP).
7. A computer-implemented method for detecting an attempt to perpetrate fraud on a user, the computer-implemented method comprising:
receiving, using a server device, a client-supplied link and a client-supplied IP address from a user computer, said client-supplied link representing a link to a target website which said user computer is attempting to access, said client-supplied IP address representing an IP address ascertained by said user computer to be an IP address associated with said target website;
acquiring a first autonomous system number (“first AS number”) using said server device and using said client-supplied IP address;
acquiring a second autonomous system number (“second AS number”) using said server device and using said client-supplied link;
after said acquiring said first AS number and after said acquiring said second AS number, determining whether said first AS number and said second AS number are autonomous system group peers (“AS group peers”) such that said first AS number and said second AS number belong in a same autonomous system group (“AS group”); after said determining, if said first AS number and said second AS number do not belong in the same AS group, providing a warning to said user computer to indicate a first potential fraud being attempted; and
analyzing, using said server device, a content of a webpage that is accessed using said client-supplied IP address to ascertain an identity of an apparent owner of said webpage;
acquiring a third autonomous system number (“third AS number”) using said server device and using said identity of said apparent owner of said webpage;
if said first AS number and said third AS number do not represent AS group peers, providing a warning to said user computer to indicate a second potential fraud being attempted.
8. The computer-implemented method of claim 7 further comprising:
obtaining a third autonomous system path (“third AS path”) using said server device and using an IP address that is obtained from a host name that is mapped to said apparent owner; and
designating the last AS number in said third AS path said third AS number.
9. The computer-implemented method of claim 8 wherein said third AS path is obtained using data gathered from routers implementing the Border Gateway Protocol (BGP).
10. The computer-implemented method of claim 8 wherein said second potential fraud represents phishing.
11. An article of manufacture comprising a program storage medium having computer readable code embodied therein, said computer readable code being configured for detecting an attempt to perpetrate fraud on a user, the article of manufacture comprising:
computer readable code for receiving, using a server device, a client-supplied link and a client-supplied IP address from a user computer, said client-supplied link representing a link to a target website which said user computer is attempting to access, said client-supplied IP address representing an IP address ascertained by said user computer to be an IP address associated with said target website;
computer readable code for acquiring a first autonomous system number (“first AS number”) using said server device and using said client-supplied IP address;
computer readable code for acquiring a second autonomous system number (“second AS number”) using said server device and using said client-supplied link;
computer readable code for determining, after said acquiring said first AS number and after said acquiring said second AS number, whether said first AS number and said second AS number are autonomous system group peers (“AS group peers”) such that said first AS number and said second AS number belong in a same autonomous system group (“AS group”) that includes more than one autonomous system;
computer readable code for obtaining a second autonomous system path (“second AS path”) using said server device and using an IP address that is obtained from a host name that is parsed from said client-supplied link;
computer readable code for designating the last AS number in said second AS path said second AS number; and
computer readable code for providing, if said first AS number and said second AS number do not belong in the same AS group, a warning to said user computer to indicate a first potential fraud being attempted, wherein said program storage medium is a non-transitory tangible medium.
12. The article of manufacture of claim 11 wherein said first potential fraud represents pharming.
13. The article of manufacture of claim 11 wherein said client-supplied IP address is ascertained by said user computer from said client-supplied link using one of a local DNS cache and a set of DNS servers that are external to said user computer.
14. The article of manufacture of claim 11 further comprising:
computer readable code for obtaining a first autonomous system path (“first AS path”) using said server device and using said client-supplied IP address; and
computer readable code for designating the last AS number in said first AS path said first AS number.
15. The article of manufacture of claim 14 wherein said first AS path is obtained using data gathered from routers implementing the Border Gateway Protocol (BGP).
16. The article of manufacture of claim 11 wherein said second AS path is obtained using data gathered from routers implementing the Border Gateway Protocol (BGP).
17. An article of manufacture comprising a program storage medium having computer readable code embodied therein, said computer readable code being configured for detecting an attempt to perpetrate fraud on a user, the article of manufacture comprising:
computer readable code for receiving, using a server device, a client-supplied link and a client-supplied IP address from a user computer, said client-supplied link representing a link to a target website which said user computer is attempting to access, said client-supplied IP address representing an IP address ascertained by said user computer to be an IP address associated with said target website;
computer readable code for acquiring a first autonomous system number (“first AS number”) using said server device and using said client-supplied IP address;
computer readable code for acquiring a second autonomous system number (“second AS number”) using said server device and using said client-supplied link;
computer readable code for determining, after said acquiring said first AS number and after said acquiring said second AS number, whether said first AS number and said second AS number are autonomous system group peers (“AS group peers”) such that said first AS number and said second AS number belong in a same autonomous system group (“AS group”) that includes more than one autonomous system; and
computer readable code for providing, if said first AS number and said second AS number do not belong in the same AS group, a warning to said user computer to indicate a first potential fraud being attempted, wherein said program storage medium is a non-transitory tangible medium; and
computer readable code for performing, if said first AS number and said second AS number represent said AS group peers, additional detection by
analyzing, using said server device, a content of a webpage that is accessed using said client-supplied IP address to ascertain an identity of an apparent owner of said webpage,
acquiring a third autonomous system number (“third AS number”) using said server device and using said identity of said apparent owner of said webpage, and
providing, if said first AS number and said third AS number do not represent AS group peers, a warning to said user computer to alert said user of a second potential fraud being attempted.
18. The article of manufacture of claim 17 further comprising:
computer readable code for obtaining a third autonomous system path (“third AS path”) using said server device and using an IP address that is obtained from a host name that is mapped to said apparent owner; and
computer readable code for designating the last AS number in said third AS path said third AS number.
19. The article of manufacture of claim 18 wherein said third AS path is obtained using data gathered from routers implementing the Border Gateway Protocol (BGP).
20. The article of manufacture of claim 18 wherein said second potential fraud represents phishing.
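The two-stage check that claims 11 through 20 describe (origin AS of the client-supplied IP versus origin AS of the server-side resolution of the link's host, then, if those are AS group peers, the origin AS of the brand the page content appears to belong to) is easier to follow as running code. The following Python block is an added illustration written for this page, not code from the patent or from Trend Micro. Everything in it is constructed: the prefix-to-AS-path table stands in for BGP collector data, `SERVER_DNS` for the server's trusted resolvers, `AS_GROUPS` for the operator-maintained peer grouping, `PAGE_CONTENT` for a server-side fetch of the page at the client-supplied IP, and `apparent_owner` is a toy brand-name match standing in for real content analysis. The IP ranges, AS numbers and hostnames are documentation/test values.

```python
import ipaddress
from urllib.parse import urlsplit

# --- Constructed sample data (hypothetical; stands in for live BGP, DNS and page fetches) ---

# Prefix -> AS path as a BGP collector would see it. The last element is the origin AS,
# which the claims call the "last AS number in the AS path".
BGP_TABLE = {
    "203.0.113.0/24":   [64510, 64500],          # ExampleBank, primary AS
    "203.0.113.128/25": [64510, 64520, 64501],   # ExampleBank, secondary AS (more specific)
    "198.51.100.0/24":  [64510, 64530, 64666],   # hosting provider used by the attacker
    "192.0.2.0/24":     [64510, 64540],          # unrelated network
}

# AS group: peer ASes operated by the same organisation (claim 11's "AS group peers").
AS_GROUPS = {64500: "examplebank", 64501: "examplebank", 64666: "cheaphost"}

# Server-side resolution through trusted resolvers (not the client's DNS view).
SERVER_DNS = {
    "www.examplebank.test": "203.0.113.10",
    "examplebank-secure.test": "198.51.100.7",
}

# Brand identified from page content -> canonical hostname of that brand (claim 18).
BRAND_HOSTS = {"ExampleBank": "www.examplebank.test"}

# What the server sees when it fetches the page at a given IP (claim 17, content analysis).
PAGE_CONTENT = {
    "203.0.113.10":  "<title>ExampleBank Online Banking</title>",
    "203.0.113.200": "<title>ExampleBank Online Banking (backup site)</title>",
    "198.51.100.7":  "<title>ExampleBank - verify your account now</title>",
}


def as_path_for_ip(ip: str):
    """Longest-prefix match of ip against the BGP table; None if the IP is unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, path in BGP_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best[1] if best else None


def origin_as(ip: str):
    """Origin AS = last AS number in the AS path (claims 14 and 11)."""
    path = as_path_for_ip(ip)
    return path[-1] if path else None


def as_group(asn: int) -> str:
    # An AS with no configured group is its own singleton group.
    return AS_GROUPS.get(asn, f"as{asn}")


def are_group_peers(a: int, b: int) -> bool:
    return a == b or as_group(a) == as_group(b)


def apparent_owner(content: str):
    """Toy content analysis: first known brand name that appears in the page."""
    lowered = content.lower()
    for brand in BRAND_HOSTS:
        if brand.lower() in lowered:
            return brand
    return None


def detect(link: str, client_ip: str) -> dict:
    """Stage 1: AS group mismatch => pharming. Stage 2: owner-AS mismatch => phishing."""
    host = urlsplit(link).hostname                  # host name parsed from the client-supplied link
    first_as = origin_as(client_ip)                 # from the client-supplied IP
    server_ip = SERVER_DNS.get(host)                # server re-resolves the link's host itself
    second_as = origin_as(server_ip) if server_ip else None
    result = {"host": host, "first_as": first_as, "second_as": second_as}
    if first_as is None or second_as is None:
        result["verdict"] = "unknown"               # unrouted IP or unresolvable host
        return result
    if not are_group_peers(first_as, second_as):
        result["verdict"] = "pharming"              # client's DNS view points into a foreign AS
        return result
    owner = apparent_owner(PAGE_CONTENT.get(client_ip, ""))
    result["owner"] = owner
    if owner is None:
        result["verdict"] = "ok"                    # no brand identified, nothing to compare
        return result
    owner_ip = SERVER_DNS.get(BRAND_HOSTS[owner])
    third_as = origin_as(owner_ip) if owner_ip else None
    result["third_as"] = third_as
    if third_as is None:
        result["verdict"] = "unknown"
    elif not are_group_peers(first_as, third_as):
        result["verdict"] = "phishing"              # page impersonates a brand hosted elsewhere
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    for link, ip in [("https://www.examplebank.test/login", "203.0.113.10"),
                     ("https://www.examplebank.test/login", "203.0.113.200"),
                     ("https://www.examplebank.test/login", "198.51.100.7"),
                     ("https://examplebank-secure.test/login", "198.51.100.7")]:
        print(link, ip, "->", detect(link, ip)["verdict"])
```

The second sample (client IP 203.0.113.200) shows why the claims compare AS groups rather than bare AS numbers: the client lands in AS 64501 while the server resolves to AS 64500, and only the group table keeps that from being flagged as pharming. The same grouping is the scheme's main operational burden. A brand served from a CDN or shared hosting provider lives in an AS it does not own, so the group table (or the third-AS lookup) must be maintained to cover those arrangements or legitimate traffic will be warned about. Note also that stage 1 only sees what the client reports: a host with a tampered resolver or hosts file is exactly the case the check is meant to catch, but a client that lies about the IP it resolved is outside the model.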
Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/426,554 US8245304B1 (en) 2006-06-26 2006-06-26 Autonomous system-based phishing and pharming detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/426,554 US8245304B1 (en) 2006-06-26 2006-06-26 Autonomous system-based phishing and pharming detection

Publications (1)

Publication Number Publication Date
US8245304B1 true US8245304B1 (en) 2012-08-14

Family

ID=46613651

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/426,554 Active - Reinstated 2029-11-04 US8245304B1 (en) 2006-06-26 2006-06-26 Autonomous system-based phishing and pharming detection

Country Status (1)

Country Link
US (1) US8245304B1 (en)

Patent Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040042596A1 (en) * 1997-08-29 2004-03-04 Arbinet-Thexchange, Inc. System and method for IP bandwidth trading
US6678717B1 (en) * 1999-03-22 2004-01-13 Eric Schneider Method, product, and apparatus for requesting a network resource
US7120934B2 (en) * 2000-03-30 2006-10-10 Ishikawa Mark M System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network
US20020078202A1 (en) * 2000-12-15 2002-06-20 Tadanao Ando IP network system having unauthorized intrusion safeguard function
US20040148520A1 (en) * 2003-01-29 2004-07-29 Rajesh Talpade Mitigating denial of service attacks
US7565426B2 (en) * 2003-08-07 2009-07-21 Alcatel Lucent Mechanism for tracing back anonymous network flows in autonomous systems
US20050039086A1 (en) * 2003-08-14 2005-02-17 Balachander Krishnamurthy Method and apparatus for sketch-based detection of changes in network traffic
US7420958B1 (en) * 2004-01-30 2008-09-02 Juniper Networks, Inc. Providing transparent virtual private network connectivity across intermediate networks
US20050198269A1 (en) * 2004-02-13 2005-09-08 Champagne Andrew F. Method and system for monitoring border gateway protocol (BGP) data in a distributed computer network
US20060069697A1 (en) * 2004-05-02 2006-03-30 Markmonitor, Inc. Methods and systems for analyzing data related to possible online fraud
US7496651B1 (en) * 2004-05-06 2009-02-24 Foundry Networks, Inc. Configurable geographic prefixes for global server load balancing
US20060021031A1 (en) * 2004-06-30 2006-01-26 Scott Leahy Method and system for preventing fraudulent activities
US7966310B2 (en) * 2004-11-24 2011-06-21 At&T Intellectual Property I, L.P. Method, system, and software for correcting uniform resource locators
US20070253413A1 (en) * 2005-10-13 2007-11-01 Jeffrey Citron Method and system for detecting a change in device attachment
US20070153763A1 (en) * 2005-12-29 2007-07-05 Rampolla Richard A Route change monitor for communication networks
US20080028467A1 (en) * 2006-01-17 2008-01-31 Chris Kommareddy Detection of Distributed Denial of Service Attacks in Autonomous System Domains
US20070206605A1 (en) * 2006-03-01 2007-09-06 New Jersey Institute Of Technology Autonomous System-Based Edge Marking (ASEM) For Internet Protocol (IP) Traceback

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Jesse Burns, "Cross Site Reference Forgery: An introduction to a common web application weakness", Information Security Partners, LLC, 2005, http://www.isecpartners.com/files/XSRF-Paper-0.pdf *
Colin Whittaker, Brian Ryner, Marria Nazif, "Large-Scale Automatic Classification of Phishing Pages", NDSS 2010, pp. 1-14, http://www.isoc.org/isoc/conferences/ndss/10/pdf/08.pdf *

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170180123A1 (en) * 2009-06-11 2017-06-22 Microsoft Technology Licensing, Llc Discovery of secure network enclaves
US20110276716A1 (en) * 2010-05-06 2011-11-10 Desvio, Inc. Method and system for monitoring and redirecting http requests away from unintended web sites
US8510411B2 (en) * 2010-05-06 2013-08-13 Desvio, Inc. Method and system for monitoring and redirecting HTTP requests away from unintended web sites
US9065850B1 (en) * 2011-02-07 2015-06-23 Zscaler, Inc. Phishing detection systems and methods
US10356106B2 (en) 2011-07-26 2019-07-16 Palo Alto Networks (Israel Analytics) Ltd. Detecting anomaly action within a computer network
US20140380477A1 (en) * 2011-12-30 2014-12-25 Beijing Qihoo Technology Company Limited Methods and devices for identifying tampered webpage and inentifying hijacked web address
US10819744B1 (en) 2013-02-08 2020-10-27 Cofense Inc Collaborative phishing attack detection
US9674221B1 (en) * 2013-02-08 2017-06-06 PhishMe, Inc. Collaborative phishing attack detection
US10187407B1 (en) 2013-02-08 2019-01-22 Cofense Inc. Collaborative phishing attack detection
US9344449B2 (en) 2013-03-11 2016-05-17 Bank Of America Corporation Risk ranking referential links in electronic messages
US9635042B2 (en) 2013-03-11 2017-04-25 Bank Of America Corporation Risk ranking referential links in electronic messages
US9621582B1 (en) 2013-12-11 2017-04-11 EMC IP Holding Company LLC Generating pharming alerts with reduced false positives
US9871817B2 (en) * 2015-02-05 2018-01-16 Phishline, Llc Social engineering simulation workflow appliance
US20170264633A1 (en) * 2015-02-05 2017-09-14 Phishline, Llc Social Engineering Simulation Workflow Appliance
US9699207B2 (en) * 2015-02-05 2017-07-04 Phishline, Llc Social engineering simulation workflow appliance
US20160234245A1 (en) * 2015-02-05 2016-08-11 Phishline, Llc Social Engineering Simulation Workflow Appliance
US9906554B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
US9906539B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
US10425436B2 (en) * 2016-09-04 2019-09-24 Palo Alto Networks (Israel Analytics) Ltd. Identifying bulletproof autonomous systems
US10574681B2 (en) 2016-09-04 2020-02-25 Palo Alto Networks (Israel Analytics) Ltd. Detection of known and unknown malicious domains
US11606385B2 (en) 2020-02-13 2023-03-14 Palo Alto Networks (Israel Analytics) Ltd. Behavioral DNS tunneling identification
US11811820B2 (en) 2020-02-24 2023-11-07 Palo Alto Networks (Israel Analytics) Ltd. Malicious C and C channel to fixed IP detection
US11425162B2 (en) 2020-07-01 2022-08-23 Palo Alto Networks (Israel Analytics) Ltd. Detection of malicious C2 channels abusing social media sites
US20210392162A1 (en) * 2020-07-31 2021-12-16 Patrick Kidney Novel dns record type for network threat prevention

Similar Documents

Publication Publication Date Title
US8245304B1 (en) Autonomous system-based phishing and pharming detection
US10084791B2 (en) Evaluating a questionable network communication
KR102130122B1 (en) Systems and methods for detecting online fraud
US9674145B2 (en) Evaluating a questionable network communication
US9912677B2 (en) Evaluating a questionable network communication
US9015090B2 (en) Evaluating a questionable network communication
US9635042B2 (en) Risk ranking referential links in electronic messages
US8286239B1 (en) Identifying and managing web risks
US8650103B2 (en) Verification of a person identifier received online
US8776224B2 (en) Method and apparatus for identifying phishing websites in network traffic using generated regular expressions
US20130263263A1 (en) Web element spoofing prevention system and method
US20070055749A1 (en) Identifying a network address source for authentication
US20060230039A1 (en) Online identity tracking
US20060070126A1 (en) A system and methods for blocking submission of online forms.
EP3033865A1 (en) Evaluating a questionable network communication
US9065850B1 (en) Phishing detection systems and methods
AU2002340207A1 (en) Verification of a person identifier received online
JP2008532133A (en) System and method for detecting and mitigating DNS camouflaged Trojans
WO2006119508A2 (en) Detecting unwanted electronic mail messages based on probabilistic analysis of referenced resources
JP7381341B2 (en) Optimal scanning parameter calculation method, device, and system for malicious URL detection
AU2006324171A1 (en) Email anti-phishing inspector
JP4693174B2 (en) Intermediate node
US7559085B1 (en) Detection for deceptively similar domain names
WO2019172947A1 (en) Evaluating a questionable network communication
Mihai Overview on phishing attacks

Legal Events

Date Code Title Description
AS Assignment

Owner name: TREND MICRO INCORPORATED, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHEN, CHAO-YU;CHEN, TSE-MIN;REEL/FRAME:018237/0327

Effective date: 20060621

REMI Maintenance fee reminder mailed
LAPS Lapse for failure to pay maintenance fees
STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20160814

FEPP Fee payment procedure

Free format text: PETITION RELATED TO MAINTENANCE FEES FILED (ORIGINAL EVENT CODE: PMFP); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: SURCHARGE, PETITION TO ACCEPT PYMT AFTER EXP, UNINTENTIONAL (ORIGINAL EVENT CODE: M1558); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

PRDP Patent reinstated due to the acceptance of a late maintenance fee

Effective date: 20191016

FEPP Fee payment procedure

Free format text: PETITION RELATED TO MAINTENANCE FEES GRANTED (ORIGINAL EVENT CODE: PMFG); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12